[Openswan Users] 2 ip ranges in our end with OpenSwan
Indunil Jayasooriya
indunil75 at gmail.com
Tue Sep 2 10:33:38 EDT 2008
Hi Peter,
192.168.1.1/24 is the primary IP.
10.48.0.1/16 is the secondary IP on the same interface.
I have done SNAT. That is the situation on the firewall running Openswan.
In that case, will it be possible?
On 9/2/08, Peter McGill <petermcgill at goco.net> wrote:
> Indunil,
>
> Openswan does not NAT addresses, you cannot have a working conn
> with 10.48.0.0/16 on your side when your addresses are 192.168.1.0/24.
> You must use 192.168.1.0/24 which matches your lan. Unless you're saying
> that you've added a second lan using 10.48.0.0/16. The output of ifconfig
> would help clarify your situation.
>
> And please turn these off, they produce a mountain of useless logs:
> #klipsdebug=none
> #plutodebug=none
>
> Peter
>
>
> Indunil Jayasooriya wrote:
> > Hi,
> >
> > I am running Openswan on CentOS 5 firewall. On my side, I have only
> > one subnet, that is 192.168.1.0/24. On the other side there are 4
> > subnets. We can connect to each other. It works fine.
> >
> > Now, the other side has added another subnet. They asked us to use a
> > different IP range to access it. They have given 10.48.0.0/16 to use
> > as the other IP range for our side.
> >
> > But the new IP range still can't access the other side.
> >
> > Please see my ipsec.conf file.
> >
> > [root at firewall ~]# cat /etc/ipsec.conf
> > # /etc/ipsec.conf - Openswan IPsec configuration file
> > #
> > # Manual: ipsec.conf.5
> > #
> > # Please place your own config files in /etc/ipsec.d/ ending in .conf
> >
> > version 2.0 # conforms to second version of ipsec.conf specification
> >
> > # basic configuration
> > config setup
> >     interfaces=%defaultroute
> >     # Debug-logging controls: "none" for (almost) none, "all" for lots.
> >     klipsdebug=all
> >     plutodebug=all
> >     nat_traversal=yes
> >
> > conn tunnelipsec1
> >     type=tunnel
> >     left=220.247.213.202
> >     leftsubnet=192.168.1.0/24
> >     right=196.4.52.10
> >     rightsubnet=196.4.49.0/24
> >     esp=3des
> >     authby=secret
> >     keyexchange=ike
> >     pfs=no
> >     auto=start
> >
> > conn tunnelipsec2
> >     type=tunnel
> >     left=220.247.213.202
> >     leftsubnet=192.168.1.0/24
> >     right=196.4.52.10
> >     rightsubnet=196.4.51.0/24
> >     esp=3des
> >     authby=secret
> >     keyexchange=ike
> >     pfs=no
> >     auto=start
> >
> > conn tunnelipsec3
> >     type=tunnel
> >     left=220.247.213.202
> >     leftsubnet=192.168.1.0/24
> >     right=196.4.52.10
> >     rightsubnet=10.10.99.0/24
> >     esp=3des
> >     authby=secret
> >     keyexchange=ike
> >     pfs=no
> >     auto=start
> >
> > conn tunnelipsec4
> >     type=tunnel
> >     left=220.247.213.202
> >     leftsubnet=192.168.1.0/24
> >     right=196.4.52.10
> >     rightsubnet=10.10.250.0/24
> >     esp=3des
> >     authby=secret
> >     keyexchange=ike
> >     pfs=no
> >     auto=start
> >
> > conn tunnelipsec5
> >     type=tunnel
> >     left=220.247.213.202
> >     leftsubnet=10.48.0.0/16
> >     right=196.4.52.10
> >     rightsubnet=10.254.0.0/16
> >     esp=3des
> >     authby=secret
> >     keyexchange=ike
> >     pfs=no
> >     auto=start
> >
> > #Disable Opportunistic Encryption
> > include /etc/ipsec.d/examples/no_oe.conf
> >
> > I have added the iptables rules below as well.
> >
> >
> > iptables -t nat -A POSTROUTING -o eth1 -d 196.4.49.0/24 -j ACCEPT
> > iptables -t nat -A POSTROUTING -o eth1 -d 196.4.51.0/24 -j ACCEPT
> > iptables -t nat -A POSTROUTING -o eth1 -d 10.10.99.0/24 -j ACCEPT
> > iptables -t nat -A POSTROUTING -o eth1 -d 10.10.250.0/24 -j ACCEPT
> > iptables -t nat -A POSTROUTING -o eth1 -d 10.254.0.0/16 -j ACCEPT
> >
> > $IPTABLES -t nat -A POSTROUTING -o eth1 -s 192.168.1.0/24 -j SNAT --to-source 220.247.213.202
> > $IPTABLES -t nat -A POSTROUTING -o eth1 -s 10.48.0.0/16 -j SNAT --to-source 220.247.213.202
> >
> > We can access the first 4 subnets of the other side with the 192.168.1.0/24 IP
> > range. But we cannot access the last subnet of the other side with
> > 10.48.0.0/16.
> >
> > Could you please explain why?
> >
> >
> >
> >
>
--
Thank you
Indunil Jayasooriya
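As an added example, not from the thread, from Openswan or from either poster, here is a small Python check that applies Peter's two points to a configuration like the one posted: every conn's leftsubnet must be a network that is actually present on the gateway (Openswan will not translate addresses into it), and the nat/POSTROUTING rule that leftsubnet-to-rightsubnet traffic hits first must be one of the ACCEPT exemptions rather than the SNAT, otherwise the source is rewritten before the packet is matched against the IPsec policy. The ipsec.conf text and the rule list are constructed from the thread (the unrelated parameters are left out), and the local address list is an assumption that stands in for the ifconfig output Peter asked for; the /29 on the public address is invented.

```python
import ipaddress
import shlex

# Constructed sample modelled on the ipsec.conf in the thread (not the poster's
# literal file; parameters that do not affect the check are omitted).
IPSEC_CONF = """\
config setup
    interfaces=%defaultroute
    nat_traversal=yes

conn tunnelipsec1
    leftsubnet=192.168.1.0/24
    rightsubnet=196.4.49.0/24
    auto=start

conn tunnelipsec5
    leftsubnet=10.48.0.0/16
    rightsubnet=10.254.0.0/16
    auto=start
"""

# Constructed nat/POSTROUTING rules; -A appends, so list order is evaluation order.
NAT_RULES = [
    "iptables -t nat -A POSTROUTING -o eth1 -d 196.4.49.0/24 -j ACCEPT",
    "iptables -t nat -A POSTROUTING -o eth1 -d 10.254.0.0/16 -j ACCEPT",
    "iptables -t nat -A POSTROUTING -o eth1 -s 192.168.1.0/24 -j SNAT --to-source 220.247.213.202",
    "iptables -t nat -A POSTROUTING -o eth1 -s 10.48.0.0/16 -j SNAT --to-source 220.247.213.202",
]

# Assumed local addresses as `ip -4 addr` would print them (hypothetical; the
# prefix length on the public address is invented for the example).
LOCAL_ADDRS = ["220.247.213.202/29", "192.168.1.1/24"]


def parse_conns(text):
    """Return {conn name: {key: value}}. Section headers start in column 0 and
    parameters are the indented key=value lines below them, per ipsec.conf(5)."""
    conns, current = {}, None
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].rstrip()
        if not line.strip():
            continue
        if not line[0].isspace():
            kind, _, name = line.strip().partition(" ")
            current = conns.setdefault(name.strip(), {}) if kind == "conn" else None
        elif current is not None:
            key, _, value = line.strip().partition("=")
            current[key.strip()] = value.strip()
    return conns


def parse_rule(cmd):
    """Pull -s, -d and -j out of an iptables command line; other matches are ignored."""
    argv = shlex.split(cmd)
    rule = {"src": None, "dst": None, "target": None}
    for flag, arg in zip(argv, argv[1:]):
        if flag == "-s":
            rule["src"] = ipaddress.ip_network(arg, strict=False)
        elif flag == "-d":
            rule["dst"] = ipaddress.ip_network(arg, strict=False)
        elif flag == "-j":
            rule["target"] = arg
    return rule


def first_match(rules, src, dst):
    """First rule whose -s/-d cover all src->dst traffic (None means wildcard)."""
    for rule in rules:
        if (rule["src"] is None or src.subnet_of(rule["src"])) and \
           (rule["dst"] is None or dst.subnet_of(rule["dst"])):
            return rule
    return None


def check_conns(conf_text, nat_cmds, local_addrs):
    """Return {conn name: [finding, ...]}; an empty list means the conn passed."""
    local_nets = [ipaddress.ip_interface(a).network for a in local_addrs]
    rules = [parse_rule(c) for c in nat_cmds]
    report = {}
    for name, conn in parse_conns(conf_text).items():
        findings = []
        left = ipaddress.ip_network(conn["leftsubnet"], strict=False)
        right = ipaddress.ip_network(conn["rightsubnet"], strict=False)
        # Peter's point: leftsubnet has to be a network behind this gateway.
        if not any(left.overlaps(n) for n in local_nets):
            findings.append("leftsubnet %s is not on any local interface" % left)
        # The NAT table sees the plaintext packet first, so the first matching
        # rule for tunnel traffic must be an exemption, not a source rewrite.
        hit = first_match(rules, left, right)
        if hit is not None and hit["target"] in ("SNAT", "MASQUERADE"):
            findings.append("%s -> %s is source-NATed by '%s' before IPsec sees it"
                            % (left, right, hit["target"]))
        report[name] = findings
    return report


if __name__ == "__main__":
    for name, findings in check_conns(IPSEC_CONF, NAT_RULES, LOCAL_ADDRS).items():
        print(name, "OK" if not findings else "; ".join(findings))
```

Run against the constructed input it passes tunnelipsec1 and flags tunnelipsec5 only for the missing local 10.48.0.0/16 network, which is Peter's diagnosis; the NAT exemptions are in the right order. Swapping the SNAT lines ahead of the ACCEPT lines makes it flag every conn, which is the other common way this setup breaks.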